How The NSA Targets Tor
The Guardian has released new documents from Edward Snowden showing how the U.S. National Security Agency targets internet anonymity tool Tor to gather intelligence. One of the documents, a presentation titled "Tor Stinks," bluntly acknowledges how effective the tool is: "We will never be able to de-anonymize all Tor users all the time. With manual analysis we can de-anonymize a very small fraction of Tor users, however, no success de-anonymizing a user in response to a TOPI request/on demand." (Other documents: presentation 1, presentation 2.) The NSA is able to extract information sometimes, though, and Bruce Schneier details what we know of that process in an article of his own. "The NSA creates 'fingerprints' that detect http requests from the Tor network to particular servers. These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis tool which NSA boasts allows its analysts to see "almost everything" a target does on the internet. ... After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems." Schneier explains in a related article why it's important that we figure out exactly what the NSA is doing. "Given how inept the NSA was at protecting its own secrets, it's extremely unlikely that Edward Snowden was the first sysadmin contractor to walk out the door with a boatload of them. And the previous leakers could have easily been working for a foreign government."
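The "fingerprint" Schneier describes is, at bottom, a join between a request log and a time-indexed list of Tor exit relays: a request is interesting when its source address was an exit at the moment it was logged and it touched a resource the analyst cares about. The example below is added here to illustrate that logic; it is not code from the Guardian documents, from Schneier's article, or from any NSA system. The exit-list snapshots and the access-log lines are constructed (RFC 5737 documentation addresses), and the watched path is a hypothetical choice. The one caveat it is built around is the one a practitioner would want: exit relays churn, so each request has to be matched against the exit list that was current when it was logged, not today's list.

```python
import re
from datetime import datetime, timezone

# Constructed snapshots of a Tor exit-relay list, keyed by the time each
# snapshot was taken. The addresses are RFC 5737 documentation ranges and are
# hypothetical; a real list would come from the Tor consensus or an exit-list
# service, refreshed on a schedule.
EXIT_SNAPSHOTS = [
    (datetime(2013, 10, 4, 0, 0, tzinfo=timezone.utc), {"192.0.2.10", "198.51.100.7"}),
    (datetime(2013, 10, 4, 12, 0, tzinfo=timezone.utc), {"192.0.2.10", "203.0.113.44"}),
]

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def exits_at(when):
    """Return the exit set that was current at `when`.

    The most recent snapshot taken at or before `when` wins. If no snapshot
    predates the request, return an empty set: attributing the request to Tor
    would be a guess, and a guess is worse than a miss here.
    """
    current = set()
    for taken, exits in sorted(EXIT_SNAPSHOTS, key=lambda s: s[0]):
        if taken <= when:
            current = exits
        else:
            break
    return current


def parse_line(line):
    """Parse one combined-format log line; return None for lines that don't fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)  # timezone-aware
    rec["status"] = int(rec["status"])
    return rec


def fingerprint(lines, watched_paths):
    """Flag requests that came from a Tor exit AND hit one of the watched paths.

    The conjunction is the fingerprint: exit traffic on its own is noise, but
    exit traffic to a specific resource is something an analyst can pivot on.
    Returns (ip, iso_timestamp, path) tuples in log order.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ip"] in exits_at(rec["ts"]) and rec["path"] in watched_paths:
            hits.append((rec["ip"], rec["ts"].isoformat(), rec["path"]))
    return hits


# Constructed access-log lines; this is not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Oct/2013:03:15:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Oct/2013:04:00:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # 203.0.113.44 only became an exit in the 12:00 snapshot; this request must not match.
    '203.0.113.44 - - [04/Oct/2013:09:30:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [04/Oct/2013:13:30:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # 198.51.100.7 dropped out of the exit list at 12:00; matching against a
    # current list would wrongly flag this one.
    '198.51.100.7 - - [04/Oct/2013:14:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Oct/2013:14:05:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, ts, path in fingerprint(SAMPLE_LOG, {"/login"}):
        print(ip, ts, path)
```

Run against the constructed log it flags exactly two requests: the 03:15 and 13:30 hits on /login. The 09:30 and 14:00 requests from the same two addresses are not flagged because those addresses were not exits at those times, which is the point of keeping the snapshots rather than a single current list.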
Insufficient data to draw useful conclusions (Score:5, Interesting)
A few days ago a well-known Tor developer was getting angry on Twitter because he thought the Guardian was holding back a story on Tor due to redacting requests and pressure from governments.
The presentations cited date from 2007. That's 6 years ago and tells us diddly squat about their current capabilities. All it tells us, really, is that in 2007 they had developed some working techniques in the lab, and were talking about the same kinds of attacks that were being discussed in public. It also tells us they use custom malware - but that was already revealed previously.
The Snowden files contain a complete copy of GCHQ's internal wiki. It seems highly unlikely that there is no further information on Tor after 2007. Rather, it feels like the British and American governments treat their capabilities against Tor as one of their most valuable secrets and applied significant pressure, the resulting compromise being "you can make a story about Tor, as long as it's based on old information that is no longer relevant".
They target Tor via the ISPs (Score:5, Interesting)
Re:How about the nodes (Score:5, Interesting)
Interesting. If I worked for NSA, I would try to. It would give some more information. Though on the other hand, they may just as well run their own nodes to get that information (oh yes, they do this already), and hacking 'normal' people just for the lulz always increases the chance of information about your operations getting out.
In short: It would be stupid to hack you just because you're running a node, unless you're their target in some other way.
Re:How about the nodes (Score:5, Interesting)
Not according to this latest leak (who knows about future leaks).
As I read this leak, TOR isn't broken (in the sense that the NSA isn't recording all unencrypted TOR traffic, the way some had feared). The NSA doesn't root all nodes. If they're interested in some specific person, they break their anonymity by rooting them specifically. But I still need to go read Bruce's analysis.
I find it interesting/amusing that when Freedom Hosting was busted, and the FBI left behind a rootkit on the hosted servers to infect users wholesale, that wasn't an NSA payload - it was a 0-day they bought on Silk Road. For all that this spying pisses me off on principle, I love that bit: someone at the FBI has a sense of humor, or at least irony.
Re:TAILS (Score:4, Interesting)
I think you've misunderstood the attack.
1. They can identify anyone using TOR by looking at the encrypted traffic. Doesn't matter what you're running.
2. Using their privileged position on the internet backbone, they can perform MitM attacks by responding faster than the real servers, so they serve you their malware package while serving the original content. Doesn't matter what you're running.
3. The NSA has 0-days for everything, so now you're rooted. Doesn't matter what you're running. And likely de-anonymized at this point.
4. If you're using a live CD, you might stop being rooted when you power down. Unless the NSA has a 0-day for your BIOS, which is certainly possible, in which case even that didn't help.
This is the full financial power of a Cold War military intelligence branch being directed against individual citizens. Doesn't matter what you're running, you brought a knife to a gun fight, and they brought an armor division.
Re:a related question (Score:5, Interesting)
Because he knew that if there was an indiscriminate data dump, governments would use that to distract from the real meat. By getting professional journalists to digest the data into understandable stories, he ensured that would not happen. Also he feels details about specific operations or sites or whatever isn't really important to the debate, which is what he cares about the most.
Now that said, we'll have to see if he is happy with the current level of disclosures. My impression so far is that he has been very happy with how things worked out. But this is a guy who had EFF and Tor stickers on his laptop. If he knows Tor is broken and the Guardian do stories implying that it's not, it'll be interesting to see if he has any reaction to that. Right now he's lying low because he wanted to fade away so the stories focus on the material - and that's something he has done amazingly well.
Re:The plan (Score:2, Interesting)
Find FoxAcid related boxes.
Exploit the shit out of said boxes. (win2k3 lol)
Enjoy mayhem.
You approach a military roadblock. You see one guy manning the roadblock, and he's unarmed. Why do you think that is?
When you know an organization cares about security, and you don't see the security, what should you conclude?
Re:How about the nodes (Score:5, Interesting)
There's a subtle but profound point there. Most warrantless searching of internet stuff has been done under the banner of "no reasonable expectation of privacy". But a TOR user has taken active steps to ensure his privacy - this traffic is as much "not public" as we have the technology to make it. If you don't (legally) have a reasonable expectation of privacy when you go that far, it gives the lie to the excuse in the first place.
Re:TAILS (Score:4, Interesting)
1. They can identify anyone using TOR by looking at the encrypted traffic. Doesn't matter what you're running.
Maybe. But they do this by injecting cookies and then trying to find those cookies later on the unencrypted Internet, once you've turned off Tor. This doesn't work so well if you're using the browser bundle, or some sort of Live CD, but it may work on
Sorry, I was unclear. They can easily identify TOR traffic as TOR traffic - they can identify that you are a user of TOR. Governments with far fewer resources can do this, and block all TOR traffic. There was a /. story about this some years back, on the TOR team trying to respond but admitting it would always be an arms race.
Doing a blind root on a BIOS is pretty unlikely. In fact, rooting someone who doesn't have a browser/OS combination for which a pre-built exploit exists is much less likely. Even more so if you spoof the user agent.
Yes - this is the one area where I do doubt even the NSA's capabilities. But the user agent has nothing to do with it - TOR tries to make everyone's browser fingerprint look the same anyhow - if you changed it in some way there are attacks based on having that unique fingerprint (no clue how real such attacks are). Regardless, most TOR users are running a recent browser bundle on a very limited choice of OSs, and this is one case where Windows likely isn't the biggest target.
Re:How about the nodes (Score:2, Interesting)
It does make a comedy of the TOR groups presentations to the FBI in recent years, though, about why TOR should remain legal.
What, what? Forgive my probable naivete, but shouldn't that be the other way around? It should remain legal unless the FBI has some compelling arguments otherwise. First and Fourth amendments, and all that.
How did you guys miss this? (Score:2, Interesting)
"It is a Windows 2003 computer configured with custom software and a series of Perl scripts. These servers are run by the NSA's tailored access operations, or TAO, group."
If they are using Windows Server 2003 for their MITM attacks, you would think someone could come up with a way to identify and infect them.